Tapas: design, implementation, and usability evaluation of a password manager

Asia-Pacific Computer Systems Architecture Conference Pub Date : 2012-12-03 DOI:10.1145/2420950.2420964

D. McCarney, David Barrera, Jeremy Clark, S. Chiasson, P. V. Oorschot

{"title":"Tapas: design, implementation, and usability evaluation of a password manager","authors":"D. McCarney, David Barrera, Jeremy Clark, S. Chiasson, P. V. Oorschot","doi":"10.1145/2420950.2420964","DOIUrl":null,"url":null,"abstract":"Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, we evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites, no master password, and protects all the stored passwords in the event either the primary or secondary device (e.g., computer or phone) is stolen. To evaluate the viability of Tapas as an alternative to traditional password managers, we perform a 30 participant user study comparing Tapas to two configurations of Firefox's built-in password manager. We found users significantly preferred Tapas. We then improve Tapas by incorporating feedback from this study, and reevaluate it with an additional 10 participants.","PeriodicalId":397003,"journal":{"name":"Asia-Pacific Computer Systems Architecture Conference","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-12-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"56","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Asia-Pacific Computer Systems Architecture Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2420950.2420964","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 56

Abstract

Passwords continue to prevail on the web as the primary method for user authentication despite their well-known security and usability drawbacks. Password managers offer some improvement without requiring server-side changes. In this paper, we evaluate the security of dual-possession authentication, an authentication approach offering encrypted storage of passwords and theft-resistance without the use of a master password. We further introduce Tapas, a concrete implementation of dual-possession authentication leveraging a desktop computer and a smartphone. Tapas requires no server-side changes to websites, no master password, and protects all the stored passwords in the event either the primary or secondary device (e.g., computer or phone) is stolen. To evaluate the viability of Tapas as an alternative to traditional password managers, we perform a 30 participant user study comparing Tapas to two configurations of Firefox's built-in password manager. We found users significantly preferred Tapas. We then improve Tapas by incorporating feedback from this study, and reevaluate it with an additional 10 participants.

查看原文本刊更多论文

Tapas:密码管理器的设计、实现和可用性评估

尽管密码在安全性和可用性方面存在众所周知的缺陷，但它仍然是网络上用户身份验证的主要方法。密码管理器提供了一些改进，而不需要服务器端更改。在本文中，我们评估了双重拥有认证的安全性，这是一种不使用主密码而提供密码加密存储和防盗窃的认证方法。我们进一步介绍Tapas，这是一种利用台式电脑和智能手机的双拥有身份验证的具体实现。Tapas不需要服务器端更改网站，不需要主密码，并且在主设备或辅助设备(例如，计算机或电话)被盗的情况下保护所有存储的密码。为了评估Tapas作为传统密码管理器替代品的可行性，我们对30名参与者进行了用户研究，将Tapas与Firefox内置密码管理器的两种配置进行了比较。我们发现用户明显更喜欢Tapas。然后，我们通过纳入本研究的反馈来改进Tapas，并与另外10名参与者一起重新评估。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Asia-Pacific Computer Systems Architecture Conference

自引率

0.00%

发文量